You should deal with business risk BEFORE disaster strikes.
Business risk deal with negative impacts to an organizations bottom line. If harm should strike exposed weaknesses, the business needs to know how they will deal with it and how do they adjust to the situation.
A Business Impact Analysis (BIA) is sometimes done to identify the threats, vulnerabilities, assess, the likelihood of threats acting on identified weakness and the impact if they do. DIARMF pulls for NIST and the NIST is robust enough to address address BIA / business risks. The main documents dealing with business risks are 800-39, 800-30, and 800-34.
NIST SP 800-39, Manage Information Security Risk deals with the process of business risks by way of explaining the risk management necessary for an organization.
NIST SP 800-30, Guide for Conducted Risk Assessment describe the tasks and steps of business impact assessments:
A Business Impact Analysis (BIA) identifies high-value assets and adverse impacts with respect to the loss of integrity or availability. DHS Federal Continuity Directive 2 provides guidance on BIAs at the organization and mission/business process levels of the risk management hierarchy, respectively.
NIST Special Publication 800-34 provides guidance on BIAs at the information system level of the risk management hierarchy.
One of the biggest business risks capture while doing business impact assessments is interruptions of service. After all, if the business is not DOING business then mission, work and revenue stop. So the business/organization and or department must have a contingency plan. NIST Special Publication 800-34, Contingency Planning Guide for Federal Information Systems covers what to do in case of interruptions.
A contingency plan covers what to do in the event of service disruptions including procedures, and technical measures that can get systems back quickly for a while until the disruption passes. NIST 800-34 covers information system contingency plans (ISCPs) who documents them and how. This is also a major part of the security controls addressed in 800-53/DIARMF.
Leave a Reply
You must be logged in to post a comment.